> so, tie content to domains. A domain vouching for content works like that content having been a webpage or email from said domain. Signed hash in metadata is backwards compatible and it's easy to make browsers etc display warnings on unsigned content, content from new domains, blacklisted domains, etc.
Okay, so I generate an image, open Instagram, take a picture of the generated image on a hi-res screen, and hit upload. Instagram dutifully signs it and shows it to the public with that signature. What does this buy us?
What problem are you pointing out? The only thing you’ve done is severed the audit trail, which removes any trust in the image that was imbued in it by the original poster. Now when people wonder if the image is authentic, they can only rely on how trustworthy you are, not how trustworthy the original source was. This is working as the GP intended as far as I can see. You can’t add unearned authenticity this way, only remove it.
I pointed out a way to silently sever the audit trail, at which point it sure seems like we've done a lot of work to roll out a whole new system that has such a gaping hole in it that there's no actual benefit.
It’s not a hole though. By severing the audit trail, all you have done is remove trust from your copy.
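The scheme this thread debates, as an added example that is not any commenter's code: a domain signs the content hash, and a viewer reports who vouches for a file. The domains, the key directory, the blacklist and the image bytes are constructed assumptions; Ed25519 and SHA-256 are choices made here, not named in the thread.

```javascript
const crypto = require('node:crypto');

// Hypothetical key directory: domain -> public key (a real viewer would fetch it from the domain).
const directory = new Map();
const privateKeys = new Map();
for (const domain of ['original-source.example', 'instagram.example']) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  directory.set(domain, publicKey);
  privateKeys.set(domain, privateKey);
}
const blacklist = new Set(); // domains this viewer refuses to trust

const sha256 = (bytes) => crypto.createHash('sha256').update(bytes).digest();

// A domain vouches for content by signing its hash; the result travels as metadata.
function vouch(domain, content) {
  const signature = crypto.sign(null, sha256(content), privateKeys.get(domain));
  return { domain, signature };
}

// What a viewer would display for a file and its optional metadata.
function displayStatus(content, meta) {
  if (!meta) return 'unsigned';
  const key = directory.get(meta.domain);
  if (!key) return 'unknown domain';
  if (!crypto.verify(null, sha256(content), key, meta.signature)) return 'invalid signature';
  if (blacklist.has(meta.domain)) return 'blacklisted: ' + meta.domain;
  return 'vouched by ' + meta.domain;
}

// Constructed sample data standing in for image bytes.
const original = Buffer.from('constructed pixel data, original capture');
const originalMeta = vouch('original-source.example', original);

// Re-photographing a screen yields different bytes, so the original signature
// cannot be carried over; only the re-uploading domain's signature verifies.
const recaptured = Buffer.from('constructed pixel data, photo of a screen');
const recapturedMeta = vouch('instagram.example', recaptured);

console.log(displayStatus(original, originalMeta));
console.log(displayStatus(recaptured, originalMeta));
console.log(displayStatus(recaptured, recapturedMeta));
```

The re-captured copy verifies only under the re-uploader's domain, so a viewer's trust decision falls on that domain alone.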